Stablecoin Issuer Banking Architecture: Reserve, Operating, and Redemption Rails Under MiCA

A MiCA e-money token issuer cannot run on a single bank account. The regulation forces a three-layer banking architecture — a segregated reserve account, an operating account for the issuer's own funds, and a dedicated redemption rail capable of honouring par-value redemption on T+0. Get the segregation wrong and the Art. 36–38 daily attestation fails — and with it, your authorisation.

This is not theoretical. The EBA and ECB have published technical standards, liquidity-stress guidelines, and supervisory expectations that turn the high-level reserve duty into a granular operational programme — composition caps, qualified-custodian splits, intra-day reconciliation, third-party auditor sign-off, and public disclosure. The banking architecture is the physical embodiment of that programme.

What follows is the EMT Reserve Banking Stack — the layered model that issuers, treasury teams, and their bankers are converging on as MiCA enforcement bites. We cover the three layers, the asset-composition rules, the qualified-custodian split, the daily attestation pipeline, the stress-test posture, and the three failure modes that supervisors actively look for.

Under the Markets in Crypto-Assets Regulation¹, an ^[1]e-money token (EMT) is treated as electronic money issued on a distributed ledger. Issuance is restricted to authorised credit institutions or authorised electronic money institutions (EMIs). The novelty is not the licence — it is the reserve, segregation and redemption regime layered on top.

Three regulatory duties combine to force the three-layer architecture. First, MiCA Art. 36 requires that 100% of funds received against EMTs are held in a reserve composed of permitted assets. Second, EMD2 Art. 7 — the safeguarding directive² — requires those reserves to be ^[2]segregated from the issuer's own funds so they are insolvency-remote. Third, MiCA Art. 39 gives holders a permanent right of redemption at par value, at any time, free of charge — a duty that demands dedicated liquidity rails.

A single banking layer cannot simultaneously hold composition-restricted reserves, route operational expenses, and clear retail-grade redemption demand. The architecture splits by function, counterparty, and risk weight — and the audit trail must show that split is real, not nominal.

The bank's role also changes by layer. The reserve bank is a custodian of client money with an explicit duty to acknowledge the segregated status. The operating bank is a commercial relationship — credit lines, payroll, vendor payments. The redemption bank is a payments processor judged on rails and uptime. Three roles, three risk profiles, three different conversations with three different relationship managers.

Issuers that try to consolidate the layers at one banking group — even via separate IBANs — almost always end up rebuilding the architecture under remediation pressure. The institutional-credit story to a single bank required to hold both the reserve and the redemption float is so concentrated that supervisors flag it as a single-point-of-failure risk during the authorisation review itself.

The reserve account is the single most regulated cash account in EU fintech. Its composition, segregation and reporting are spelled out in MiCA Art. 36–38 and the EBA Final Draft RTS on reserve assets³.^[3]

Eligible assets are tightly limited. At least 30% must sit in bank deposits of the EMT's reference currency (rising to 60% for significant EMTs). The remainder must be in highly liquid financial instruments with minimal market, credit and concentration risk — in practice, short-dated Level 1 HQLA sovereign paper held with a qualified custodian.

Reserve accounts must be named, designated and legally insolvency-remote from both the issuer and its banking counterparty. In practice this means a trust-style designation in the account-opening pack, a written acknowledgement letter from the bank waiving set-off rights, and segregated sub-ledgers per EMT series.

Art. 36(11) requires the issuer to publish the value and composition of the reserve on a daily basis and to arrange for at least quarterly independent audit of those numbers. That cadence drives the banking choice as hard as the asset mix — the bank must be able to deliver end-of-day balance and instrument files into the issuer's reconciliation pipeline every business day, on time, in a machine-readable format.

The operating account holds the issuer's own funds — share capital, retained earnings, working capital, payroll, vendor payments, audit and legal fees. It is the only layer that may be used to absorb operating losses or pay dividends.

The architectural rule is brutal: not one euro of client redemption flow may transit this account. The EMD2 safeguarding carve-out treats commingled funds as prima facie unsafeguarded — meaning a single mis-routed batch can trigger a supervisory enforcement action even if the headline ratio is healthy.

In practice, EMT issuers run the operating account at a different bank from the reserve — usually a Tier-2 commercial bank that has appetite for fintech corporate banking but is not asked to absorb reserve-sized deposits. Treating the layers as different counterparties, not different IBANs at one bank, is what makes the segregation visible to an external auditor.

Redemption is the unique pressure point of an EMT — and the one most likely to break under stress. MiCA Art. 39 guarantees holders the right to redeem at par value, at any time, free of charge. The implicit operational target is T+0 settlement — same-day fiat in the holder's account.

That cannot be achieved by raiding the reserve. The reserve sits in a custodied HQLA portfolio whose settlement cycles are T+1 at fastest. Issuers therefore stand up a dedicated redemption rail — a warm cash buffer of 5–15% of outstanding EMT supply held at a bank that offers 24/7 SEPA Instant or direct rail access, replenished from the reserve on a rolling basis.

The redemption bank is functionally a payments bank, not a deposit bank — selected on rail breadth (SEPA Instant, SEPA SCT, SWIFT, TARGET2, FPS for GBP), uptime, payout SLAs and operational support, not on deposit rate. Many issuers run a two-bank redemption setup — a primary and a hot-failover — so a single bank outage cannot block Art. 39 performance.

The redemption rail is also the layer most exposed to AML and sanctions screening pressure. Every outbound payout is a customer-of-customer transaction from the bank's point of view, with the issuer in the role of a payment institution-style intermediary. Banks that take redemption mandates expect mature sanctions screening, Travel Rule integration and case-management tooling before they will open the rail at scale.

Operationally, the redemption-rail bank also typically supports named virtual IBANs so that issuance and redemption requests can be matched against on-chain mint and burn events deterministically. The matching engine sits between the bank API and the smart-contract layer, and is itself a regulated piece of the architecture under DORA ICT-risk rules.

Concentration caps are doing as much work as the asset-class list. A 25% per-bank limit on the deposit sleeve means a significant EMT issuer cannot run with fewer than three reserve banks. That single rule reshapes the entire banking-relationship strategy.

Daily attestation is the operational backbone of Art. 36 compliance. It is not a finance-month-end exercise — it is a T+1 process producing publishable numbers that an auditor can sign off.

The pipeline runs in four stages: end-of-day pulls from each reserve bank and custodian; on-chain supply reconciliation against the EMT's circulating supply; composition and concentration check against Art. 36 caps; and public disclosure of the attested reserve report on the issuer's website.

The EBA Guidelines on liquidity stress testing⁴ ^[4]layer on top of the daily attestation — issuers must run forward-looking liquidity scenarios against the reserve and demonstrate that the redemption rail can absorb plausible stress events. Quarterly internal stress + at least annual supervisor-reviewed stress.

Quarterly independent audit closes the loop. The auditor reviews reconciliation logs, exception handling, bank acknowledgement letters, custodian statements and the published reports — and signs an attestation that the reserve composition and value match what was disclosed.

The single biggest pipeline failure mode is the weekend and bank-holiday gap. On-chain supply moves 24/7; banks settle on business days. The pipeline must reconcile against a frozen end-of-day snapshot of circulating supply, with explicit handling of weekend mint and burn events that have no banking counterpart until Monday open. Supervisors will ask exactly how that gap is reported.

Disclosure format matters. The Art. 36(11) report should publish composition by asset class, by counterparty, by maturity bucket and by currency — not a single net asset value. Machine-readable formats are increasingly expected so that exchanges, market-makers and downstream auditors can ingest the file directly.

MiCA recognises that a stablecoin issuing €5M is not the same animal as one issuing €5B. Art. 43 introduces the significant token classification — once an EMT crosses defined thresholds it is moved under direct EBA supervision, with materially tighter reserve and own-funds rules. The banking architecture must anticipate that scaling, not retrofit it.

Article 38 governs the custody of reserve assets and is where the architecture splits between two counterparty types: credit institutions for bank deposits, and authorised custodians for financial instruments. A single bank cannot lawfully hold both legs of the reserve at scale.

Once the per-bank deposit cap bites, the HQLA sleeve has to be custodied separately — typically with an ICSD or a regulated MiFID II custodian able to hold sovereign paper, deliver T+0 sale, and produce daily holdings statements in the issuer's reconciliation format. The custodian sits alongside, not beneath, the reserve banks.

For significant EMTs supervised under the ECB SREP⁵ ^[5]perimeter, the custodian must itself be a regulated EU entity with a documented business continuity plan and substitutability — the supervisor will ask how the issuer would migrate the HQLA sleeve if the custodian failed.

The split also matters for insolvency analysis. Sovereign bills held with a custodian are typically client assets — outside the custodian's balance sheet — while bank deposits are unsecured claims on the bank. The architecture deliberately balances bail-in risk against settlement convenience.

Practitioners should pay particular attention to the tripartite documentation between issuer, custodian and reserve banks. The legal opinions need to confirm that the HQLA pool is identified, segregated and reconcilable with no rehypothecation rights granted to the custodian, and that the bank holding the deposit sleeve has signed an explicit set-off waiver so client funds cannot be netted against issuer liabilities.

Operationally, the HQLA sleeve also brings market-risk monitoring into the issuer's day-to-day. Even sub-90-day sovereign bills carry mark-to-market movement, and the daily attestation must reflect that — at fair value, not amortised cost — to avoid the appearance of over-reporting reserve coverage in volatile rate environments.

The defining scenario for any EMT issuer is a sudden coordinated redemption — exchanges, market-makers and retail holders all hitting the redemption button in the same 24-hour window. The EBA liquidity-stress guidelines require issuers to model that scenario explicitly.

The benchmark to plan against is a 30% redemption in 24 hours and 50% within five business days — drawn from observed stress events in the stablecoin sector. To survive that envelope, the architecture must support:

• A warm cash buffer of 5–15% on the redemption rail, replenished in-day from sight deposits.

• Pre-arranged T+0 repo lines against the HQLA sleeve to monetise the sovereign portfolio without forced sales.

• Operational sweep limits and SEPA Instant throughput pre-cleared with the redemption banks so retail payouts do not hit instrument-level caps.

• A documented recovery plan — required for significant EMTs — specifying the order of liquidity drawdowns, communication protocol, and supervisor notification triggers.

Mass-market EMTs are increasingly evaluated by reference to the CPMI-IOSCO Principles for Financial Market Infrastructures⁶ — particularly the principles on liquidity risk, settlement finality and operational risk — even before any formal FMI designation.^[6]

Operating costs paid out of the reserve account, or client redemption flow transiting the operating account, both fail EMD2 safeguarding instantly. The defence is named accounts with hard system-level controls — no manual journal can move funds across the layers without dual sign-off and a logged justification.

Running the reserve at a single bank breaches the per-counterparty concentration limits and exposes the EMT to bail-in risk under the Bank Recovery and Resolution Directive. Diversification is not optional — it is the substantive content of the Art. 36 rules.

Stretching the HQLA sleeve out to 2–3 year sovereigns to chase yield destroys the assumed liquidity profile. Under stress the issuer is forced to sell at a discount, breaking the par-value commitment. Keep the HQLA sleeve short — sub-90-day where possible — and never let portfolio yield optimisation override redemption-rail design.

At a minimum, three functional layers: a segregated reserve account at a Tier-1 EU clearing bank, a separate operating account at a different bank for the issuer's own funds, and a redemption rail with 24/7 SEPA Instant capability. For mid- to significant-sized EMTs, add a qualified custodian for the HQLA sleeve and a second bank in each layer.

No — not above a small scale. The per-bank deposit concentration cap in the EBA RTS and the requirement for sufficiently diversified counterparties both bite once outstanding supply grows. Significant EMTs typically need at least three reserve banks and a qualified custodian.

MiCA Art. 39 requires redemption at par, at any time, free of charge. There is no fixed maximum window in the article itself, but supervisory expectation — and the EBA liquidity-stress framework — points to T+0 for typical retail amounts via SEPA Instant. Anything slower invites enforcement.

An EMT references a single fiat currency and is governed by Title IV of MiCA — close to e-money rules. An ART (asset-referenced token) references a basket of assets, currencies or commodities, and is governed by Title III — with materially heavier reserve, governance and disclosure rules. The banking architecture follows the same three-layer logic, but the HQLA sleeve composition differs.

A third-party independent auditor — at least quarterly — reviewing reconciliation logs, bank acknowledgement letters, custodian statements and the published reserve reports. The auditor's attestation is the document supervisors rely on to confirm the daily disclosures are accurate.

• MiCA Compliance Guide for CASPs: Full MiCA authorisation walkthrough including ART/EMT-issuer prudential obligations.

• EMI Safeguarding Architecture: EMD2 Art. 7 safeguarding playbook that the EMT reserve regime sits on top of.

• The Three-Bank Resilience Standard: Multi-bank diversification approach for regulated fintechs — the operational mirror of the Art. 36 concentration caps.

• Multi-Currency Treasury Operations: Treasury management techniques used by CASPs and stablecoin issuers across EUR, USD and GBP rails.

The institutions that will dominate the next phase of European stablecoin issuance are not those with the slickest brand — they are those that engineered the banking stack before the marketing campaign. Three layers, three counterparty types, daily attestation, a real redemption rail, and a stress posture that survives a 30/50 run. Build that, and the regulator becomes a partner rather than a threat. Skip a layer, and the next supervisory letter writes itself.